SANS Digital Forensics and Incident Response Blog: Tag - botnet

The following note is inspired by the steps the folks at FireEye Malware Intelligence Lab took to disable the Mega-d/Ozdok bot network. People often wonder what it takes to shut down a botnet. Here are the key steps, which apply to "traditional" botnets that don't rely heavily on peer-to-peer protocols for their command and control (C&C) implementation; the number of hosts and domains that such botnets use can be small enough that a group or an individual can disrupt the botnet by getting those IPs or domain names shut down.

Note that attempting to interfere with the operations of a profitable botnet can be dangerous, as your actions may cause the attackers to retaliate. Therefore, consider these steps as informational thoughts rather than an encouragement to follow in FireEye's footsteps.

Obtain a copy of the bot through forensic analysis of a compromised system.
